Netizen Threat Brief: 11 April 2018 Edition
Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:
- Remote Keyboard App Vulnerability
- Cisco Switch Flaw
- Mirai Botnet
- Matrix Ransomware
- Auth0 Bypass Vulnerability
1. Remote Keyboard App Vulnerability
A popular Android and iOS app known as Intel Remote Keyboard has come under siege as it has been discovered that local attackers can actually inject keystrokes into a remote keyboard session when the application is in use. The app is compatible with Intel’s min-PC platform called Next Unit of Computing (NUC) as well as Intel’s Compute Stick.
The Intel Remote Keyboard application allows Android and iOS users to control their NUC and other Compute Stick devices with their smartphone or tablet using what is known as the peer-to-peer (P2P) network Protocol via Wi-Fi Direct. It was later discovered that a critical escalation of privilege vulnerability was possible in all versions of the Intel Remote Keyboard app. This critical vulnerability would allow an attacker to inject keystrokes as if they were a local user.
In addition to the main vulnerability, two other bugs had been found, granting the attackers the access to execute arbitrary code as a privileged user. Despite the rollout of patches in response to these glaring threats, Intel has intentions of discontinuing the application. There is still a product page for Remote Keyboard, and it is still available for download despite Intel’s statement. We recommend not downloading this app to completely prevent the risk of keyboard injections. If the application is already downloaded, we recommend entirely deleting the app altogether.
2. Cisco Switch Flaw
Hackers haven begun to exploit and abuse a flaw in misconfigured Cisco switches in an effort to gain a point of entry into organizations across the world. A prior US-CERT advisory had warned that “Russian government cyber actors” and have targeted and infiltrated active organizations in the US energy grid, among other critical infrastructure networks. It is believed that the most recent exploitation of these Cisco switches are related to the same group.
The attack itself targets the Cisco Smart Install (SMI) Client functionality of the Cisco switches. SMI is a legacy utility that is designed to allow a no-touch installation of Cisco switches. The SMI feature has since been superseded by the Cisco Network Plug and Play solution. The problem, however, is not inherent in the switches themselves, but rather in how they are configured. Many Cisco switch owners do not configure or disable the Smart Install protocol, which leaves the SMI client to run and wait in the background for installation or configuration commands. This overlooked switch configuration allows hackers to:
- Modify TFTP server setting to exfiltrate configuration files via the TFTP protocol
- Modify the switch general configuration file
- Replace the IOS operating system image
- Set up local accounts to let attackers log in and execute any IOS commands
Cisco has released the information that over 168,000 SMI-enabled Cisco devices still exist and are exposed on the Internet. We recommend disabling the SMI feature on the Cisco switch if at all possible; SMI operates on port 4786. Instructions for disabling the functionality can be found here: http://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.html
If SMI cannot be disabled for operational reasons, the switch should then be updated to its most recent OS version, which fixes this flaw as well. If it is unknown whether or not SMI-enabled devices exist on the local network, a port scan of the LAN should be able to discover any that allow this utility.
3. Mirai Botnet
A botnet variant, known as Mirai, was used in at least one major attack against a financial sector company this past January. This is quite possibly the first time an Internet of Things (IoT) botnet has been observed to use a Distributed Denial of Service (DDoS) attack since a previous Mirai botnet takedown of multiple websites in 2017.
The first attack, DNS amplification, occurred in late January of this year. A DNS amplification attack is a reflection-based DDoS attack; look-up requests are spoofed to DNS servers to hide the source of the exploit and direct the response to the target. The second attack targeted a financial sector company which had experienced a DDoS attack, likely using the same botnet.
The companies affected were not identified, however it was disclosed that they are Fortune 500 firms. It was discovered that at least seven IP addresses acted as the controllers for the botnet and more likely than not were involved in the coordination of the attack. One of the companies had their customer services temporarily disrupted, but the full extent of financial or network damage is currently not yet known.
While this is the first botnet DDoS this year, it is reported that creators of a botnet made of infected home and small office routers are selling DDoS attacks for just $20 per target. Popular website and leading software development platform, Github, was also struck with a massive DDoS attack this past March. We recommend implementing the following strategies to any organizations using IoT devices to mitigate the risk of their devices being hacked by a botnet:
- Always replace default manufacturer passwords immediately upon use.
- Keep the firmware for devices current and up to date.
- For IP camera and similar systems that require remote access, invest in a VPN.
- Disable unnecessary services (e.g., Telnet) and close ports that are not required for the IoT device.
4. Matrix Ransomware
Two new variants of Matrix Ransomware have recently been revealed. The malware is being installed through hacked Remote Desktop services (RDP). Both of these variants encrypt your computer’s files, characteristic of ransomware, however one of these variants is a bit more advanced and debugs more messages and uses ciphers to wipe free space disallowing victims the ability to use file recovery tools to recover their files.
According to reports, this particular strain of ransomware is currently being distributed to victims by way of brute force attacks on Remote Desktop services connected directly to the internet. Once the attackers gain access to a computer, they can then proceed with uploading the Matrix Ransomware installer and then execute it.
As mentioned previously, the two variants of the malware are being installed over a hacked RDP session where they then encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and then encrypt the filenames.
When protecting a company from ransomware, it is always good practice to use proper computing habits and security software. If computers running Remote Desktop services are connected directly to the Internet, make sure they are behind VPNs so that they are only accessible to those with VPN accounts on the company network. It would be useful to employ lockout policies to avert any brute force attack attempts over RDP. A strong defense would also include the implementation of an Antivirus software that operates based on recognized signatures or behaviors. We also recommend:
- Employ routine backups
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent you them,
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, therefore it is important to keep them updated.
- Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you’re willing to stick with it, could have the biggest payoffs.
- Use hard passwords and never reuse the same password on multiple sites.
Matrix Ransomware variant hashes:
- Variant 1: a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea
- Variant 2: 996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9
Associated email addresses:
How can Netizen help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.